Immigration and Refugee Board of Canada wrongly disclosed intimate and medical information to an employee’s management team via a fitness to work report

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint concerning the Immigration and Refugee Board of Canada's (IRB) improper disclosure of an employee's sensitive medical information to their management team. The IRB shared a "Fitness to Work" report containing intimate medical details without the employee's consent and beyond what was necessary for accommodation. The OPC found that while some information disclosure was consistent with the purpose of collection, the disclosure of highly sensitive medical information was not, thus contravening the Privacy Act. The IRB has since updated its policies and tools, but the OPC found the complaint to be well-founded and not adequately resolved, urging the IRB to implement its recommendations, including training and a meaningful apology.

• Whether the IRB obtained the complainant's consent to disclose their medical information.
• Whether the disclosure of the medical information in the FTW report to management constituted a "consistent use" under paragraph 8(2)(a) of the Privacy Act.
• Whether the IRB's disclosure practices complied with the Treasury Board Secretariat's "Standard" on fitness to work evaluations.
• The adequacy of the IRB's response to the OPC's recommendations.